|
1 | 1 | # Security Policy |
2 | | -Thank you for helping us keep our MCP servers secure. |
3 | 2 |
|
4 | | -The **reference servers** in this repo are maintained by [Anthropic](https://www.anthropic.com/) as part of the Model Context Protocol project. |
5 | | - |
6 | | -The security of our systems and user data is Anthropic's top priority. We appreciate the work of security researchers acting in good faith in identifying and reporting potential vulnerabilities. |
| 3 | +Thank you for helping keep the Model Context Protocol and its ecosystem secure. |
7 | 4 |
|
8 | 5 | ## Important Notice |
9 | 6 |
|
10 | | -The servers in this repository are **reference implementations** intended to demonstrate MCP features and SDK usage. They serve as educational examples for developers building their own MCP servers, not as production-ready solutions. |
| 7 | +The servers in this repository are **reference implementations** intended to demonstrate |
| 8 | +MCP features and SDK usage. They serve as educational examples for developers building |
| 9 | +their own MCP servers, not as production-ready solutions. |
| 10 | + |
| 11 | +This repository is **not** eligible for security vulnerability reporting. If you discover |
| 12 | +a vulnerability in an MCP SDK, please report it in the appropriate SDK repository. |
11 | 13 |
|
12 | | -**Bug bounties are not awarded for security vulnerabilities found in these reference servers.** Our bug bounty program applies exclusively to the [MCP SDKs](https://github.com/modelcontextprotocol) maintained by Anthropic. If you discover a vulnerability in an MCP SDK that is maintained by Anthropic, please report it through our vulnerability disclosure program below. |
| 14 | +## Reporting Security Issues in MCP SDKs |
13 | 15 |
|
14 | | -## Vulnerability Disclosure Program |
| 16 | +If you discover a security vulnerability in an MCP SDK, please report it through the |
| 17 | +[GitHub Security Advisory process](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) |
| 18 | +in the relevant SDK repository. |
15 | 19 |
|
16 | | -Our Vulnerability Program guidelines are defined on our [HackerOne program page](https://hackerone.com/anthropic-vdp). We ask that any validated vulnerability in this functionality be reported through the [submission form](https://hackerone.com/anthropic-vdp/reports/new?type=team&report_type=vulnerability). |
| 20 | +Please **do not** report security vulnerabilities through public GitHub issues, discussions, |
| 21 | +or pull requests. |
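Review bot: the new lines 11-12 ("This repository is **not** eligible for security vulnerability reporting. If you discover a vulnerability in an MCP SDK, please report it in the appropriate SDK repository.") remove the only private reporting channel for the reference servers themselves without saying what a researcher should do with a finding in this repo; the deleted text at least kept the HackerOne VDP as the destination while stating that no bounty would be paid. Either state explicitly that reference-server findings should be filed as ordinary issues, or keep a private path (for example this repository's own GitHub Security Advisory), so that a finding such as a path-traversal or command-injection bug in an example server is not dropped because the reader thinks it is out of scope. Also, the new line 18 says "in the relevant SDK repository" but the deleted line 12 linked that phrase to https://github.com/modelcontextprotocol; keep the organisation link so the reader can find the SDK repositories, and consider reinstating the note that the bug bounty applies only to the SDKs, which the new text drops silently. Minor: the rewritten body hard-wraps at about 90 columns while the previous version used one line per paragraph; pick one convention for the file.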